Hello all,

I am working on a script to retrieve event log information from several
servers using WMI. I am able to read System and Application information
without any difficulty, but am unable to read any data from the security
log. After googling it seems the problem is with the security level
under which the script accesses WMI. On one of the pages I visited I
found a vbs script that does what I am attempting to do using perl.
Unfortunately I am having no success converting the script, and I was
hoping that someone would point out my error.

The relevant section of the vbs script is:
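' Connect to the local WMI service, naming the Security privilege in the
' moniker, then select every record of the Security event log.
' The statement is re-joined here: the mail wrapping had split it without a
' line-continuation character and had broken the WQL string literal in two.
Set EventSet = GetObject("winmgmts:{impersonationLevel=impersonate,(security)}"). _
        ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'")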

What I have so far for perl is:

#!/usr/bin/perl
use strict;
use warnings;
use Win32::OLE('in');
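# Warn level 3 makes Win32::OLE croak on any OLE/WMI error instead of
# failing silently.
Win32::OLE->Option( Warn => 3 );

# OPTIONS: which event types are written to the report.
my $RECORDINFORMATION = 1;
my $RECORDWARNINGS    = 1;
my $RECORDERRORS      = 1;
my $summaryFile       = 'eventLogSummary.html';
my $logFile           = 'eventLogSummary.log';   # declared, not used below

my $date = scalar localtime;
my %htmlConfig;
$htmlConfig{date} = "$date";

# Target machine; "." means the local computer.
my $computer = shift || ".";

# The name is spliced into the WMI moniker below, so accept only characters
# that can appear in a host name or dotted address.
die "Invalid computer name: $computer\n"
    unless $computer =~ /\A[A-Za-z0-9._-]+\z/;

# Escape the characters that are significant in HTML.  Event-log fields
# (user names, messages, insertion strings) can carry text chosen by whoever
# triggered the event, so nothing from a record goes into the report raw.
sub _html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Three-argument open: the file name can never be read as part of the mode.
# The bareword handle is kept because startHTML/endHTML print to SUMMARY.
# The report holds security-log contents, so keep it in a protected location.
open( SUMMARY, '>', $summaryFile )
    or die "Could not open $summaryFile $!\n";
startHTML( \%htmlConfig );

# "(security)" asks WMI to enable the Security privilege for this connection;
# the account running the script must still hold the right to read the
# Security log on the target.  The moniker must be one unbroken string, and
# it now names $computer (the original always queried the local machine).
my $moniker = 'winmgmts:{impersonationLevel=impersonate,(security)}!'
            . "\\\\$computer\\root\\cimv2";
my $WMIService = Win32::OLE->GetObject($moniker);

my $eventLog = $WMIService->ExecQuery(
    "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'");

print SUMMARY "<h2 align=center>", _html_escape($computer), "</h2>\n";

# Event types to report, mapped to the background colour of the Type cell.
# NOTE(review): Security-log records are usually typed "Audit Success" /
# "Audit Failure" rather than error/warning/information -- confirm on the
# target systems.  Such records match none of these filters and would be
# left out of the report.
my %colorFor;
$colorFor{error}       = 'red'    if $RECORDERRORS;
$colorFor{warning}     = 'yellow' if $RECORDWARNINGS;
$colorFor{information} = 'grey'   if $RECORDINFORMATION;

foreach my $entry ( in $eventLog ) {
    my $rawType   = $entry->{Type};
    my $eventType = defined $rawType ? $rawType : '';
    my $bgColor   = $colorFor{ lc $eventType };
    next unless defined $bgColor;    # type not selected in OPTIONS

    print SUMMARY
        "<table border=1 cellpadding=2 cellspacing=2 width='600'>\n";

    print SUMMARY "<tr><td>Type:</td>\n";
    print SUMMARY "<td bgColor=$bgColor>",
        _html_escape( uc $eventType ), "</td>\n";
    print SUMMARY "<td>Logfile:</td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{Logfile} ), "</td></tr>\n";

    print SUMMARY "<tr><td>ComputerName:</td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{ComputerName} ), "</td>\n";
    print SUMMARY "<td>User:</td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{User} ), "</td></tr>\n";

    print SUMMARY "<tr><td>EventCode:</td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{EventCode} ), "</td>\n";

    # The event id must be ANDed with 0xffff to show the id that
    # Event Viewer reports.
    my $eventID = $entry->{EventIdentifier};
    $eventID = ( defined $eventID ? $eventID : 0 ) & 0xffff;
    print SUMMARY "<td>EventIdentifier:</td>\n";
    print SUMMARY "<td>$eventID</td></tr>\n";

    print SUMMARY "<tr><td>RecordNumber:</td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{RecordNumber} ), "</td>\n";
    print SUMMARY "<td>SourceName: </td>\n";
    print SUMMARY "<td>", _html_escape( $entry->{SourceName} ), "</td></tr>\n";

    my $timeGenerated = WMIDate( $entry->{TimeGenerated} );
    print SUMMARY "<tr><td>TimeGenerated:</td>\n";
    print SUMMARY "<td>", _html_escape($timeGenerated), "</td>\n";
    my $timeWritten = WMIDate( $entry->{TimeWritten} );
    print SUMMARY "<td>TimeWritten:</td>\n";
    print SUMMARY "<td>", _html_escape($timeWritten), "</td></tr>\n";

    # The closing tags were inverted (</tr></td>) in the original.
    print SUMMARY "<tr><td>Message:</td>\n";
    print SUMMARY "<td colspan=3>",
        _html_escape( $entry->{Message} ), "</td></tr>\n";

    # The copy statement was mangled by the list archive ("@[EMAIL
    # PROTECTED]"); it is restored here as a dereference of the array
    # reference returned for InsertionStrings.
    my $insertionArray = $entry->{InsertionStrings};
    if ( ref $insertionArray eq 'ARRAY' ) {
        my @insertionData = map { _html_escape($_) } @{$insertionArray};
        print SUMMARY "<tr><td>InsertionStrings:</td>\n";
        print SUMMARY "<td colspan=3>@insertionData</td></tr>\n";
    }

    # Each record has its own table; the original never closed it.
    print SUMMARY "</table>\n";
    print SUMMARY "<BR><BR>\n";
}

# Write the footer once, after the last record.  The original called
# endHTML() inside the loop and so closed <body>/<html> after every entry.
endHTML();
close(SUMMARY) or die "Could not close $summaryFile $!\n";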

###########################
sub WMIDate {
    # Reformat a WMI datetime string, whose leading characters are laid out
    # as yyyymmddHHMMSS, into "Date: mm/dd/yyyy, Time: HH:MM:SS".
    # Only the first 14 characters are read and nothing is validated.
    my ($stamp) = @_;
    chomp $stamp;

    my $year = substr( $stamp, 0, 4 );
    my ( $month, $day, $hour, $minute, $second )
        = map { substr( $stamp, $_, 2 ) } ( 4, 6, 8, 10, 12 );

    my $calendar = join '/', $month, $day, $year;
    my $clock    = join ':', $hour, $minute, $second;

    return "Date: $calendar, Time: $clock";
}



###########################
# print expected html header information to 
# static File
sub startHTML {
    # Write the document type, the <head> section and the opening <body> tag
    # to the SUMMARY file handle.  $config is a hash reference whose "date"
    # entry is placed in the page title.
    my ($config) = @_;

    # The line break inside this literal is part of the emitted text.
    my $doctype = "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
Transitional//EN'>";
    my $title = "<title>Event Log Summary for $config->{date}</title>\n";

    print SUMMARY $doctype,
        "<html>\n<head>\n",
        $title,
        "</head>\n<body>\n";
}

############################
# print expected html footer
sub endHTML {
    # Write the closing </body> and </html> tags to the SUMMARY file handle.
    my $footer = " </body> </html>\n";
    return print SUMMARY $footer;
}

Any help you could offer would be greatly appreciated.
Frank Blackwelder
